[security] Denial of service vulnerabilities in OpenSSL
Lorenzo Iannuzzi
nakis at libero.it
Thu 18 Mar 2004 11:15:51 CET
http://lwn.net/Articles/76121/
Versions 0.9.7a-c of the OpenSSL library suffer from two denial of
service vulnerabilities; see the version 0.9.7d release announcement for
details. Thus far, we have updates available from EnGarde, Red Hat (RHEL
2.1, RHEL 3), and SUSE.
http://lwn.net/Articles/76163/
More OpenSSL updates are coming in; the latest are from Debian,
MandrakeSoft and Netwosix. The full list of updates can be found in the
LWN vulnerability entry.
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml
An affected network device running an SSL server based on an affected
OpenSSL implementation may be vulnerable to a Denial of Service (DoS)
attack. There are workarounds available to mitigate the effects of this
vulnerability on Cisco products in the workaround section of this
advisory. Cisco is providing fixed software, and recommends that customers
upgrade to it when it is available.
http://www.freebsd.org/security/
When processing an SSL/TLS ChangeCipherSpec message, OpenSSL may fail to
check that a new cipher has been previously negotiated. This may result
in a null pointer dereference.
--
Bye, until next time!
Lorenzo
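
The missing check described in the FreeBSD excerpt above, as an added example that is not part of the original message and is not OpenSSL's code. It is a simplified C model in which every name (`toy_conn`, `toy_ccs_unchecked`, `toy_ccs_checked`, `TOY_CIPHER`) is hypothetical, showing the unchecked ChangeCipherSpec handler beside one that rejects the message when no cipher has been negotiated.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model for illustration; these are not OpenSSL's structures. */
enum ccs_result { CCS_OK = 0, CCS_ERR_MALFORMED = -1, CCS_ERR_UNEXPECTED = -2 };

struct toy_cipher { const char *name; size_t key_len; };

struct toy_conn {
    const struct toy_cipher *pending; /* NULL until a cipher is negotiated */
    const struct toy_cipher *active;  /* cipher protecting current records */
    size_t active_key_len;
};

static const struct toy_cipher TOY_CIPHER = { "TOY-CIPHER", 16 };

/* Called by the handshake code once both sides agree on a cipher. */
void toy_negotiate(struct toy_conn *c, const struct toy_cipher *chosen)
{
    c->pending = chosen;
}

/* Flawed pattern: trusts that negotiation already happened. If the message
 * arrives before that, c->pending is NULL and the read below crashes. */
int toy_ccs_unchecked(struct toy_conn *c, const uint8_t *body, size_t len)
{
    if (len != 1 || body[0] != 1)   /* ChangeCipherSpec body is one byte, 1 */
        return CCS_ERR_MALFORMED;
    c->active_key_len = c->pending->key_len; /* NULL dereference if early */
    c->active = c->pending;
    c->pending = NULL;
    return CCS_OK;
}

/* Hardened pattern: reject the message unless a cipher is pending. */
int toy_ccs_checked(struct toy_conn *c, const uint8_t *body, size_t len)
{
    if (body == NULL || len != 1 || body[0] != 1)
        return CCS_ERR_MALFORMED;
    if (c->pending == NULL)
        return CCS_ERR_UNEXPECTED; /* caller aborts the handshake cleanly */
    c->active_key_len = c->pending->key_len;
    c->active = c->pending;
    c->pending = NULL;
    return CCS_OK;
}
```

In the checked variant an out-of-order message becomes an error return the caller can turn into a closed connection, instead of a crash of the whole server process.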